How to fix CVE-2025-25291?

Within 24 hours: Identify all affected systems running ruby-saml and apply vendor patches immediately. Vendor patch is available.

Is Jwt Attack affected by CVE-2025-25291?

Organizations using ruby-saml face critical risk from CVE-2025-25291, a signature bypass vulnerability rated CVSS 9.3. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems.

CVE-2025-25291

CRITICAL

2025-03-12 [email protected]

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:31 vuln.today

Patch Released

Mar 28, 2026 - 18:31 nvd

Patch available

PoC Detected

Nov 03, 2025 - 20:17 vuln.today

Public exploit code

CVE Published

Mar 12, 2025 - 21:15 nvd

CRITICAL 9.3

Description

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

Analysis

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.8%.

Technical Context

This vulnerability is classified under CWE-347. ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue. Affected products include: Omniauth Omniauth Saml, Onelogin Ruby-Saml, Netapp Storagegrid.

Affected Products

Omniauth Omniauth Saml, Onelogin Ruby-Saml, Netapp Storagegrid.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +13.8

CVSS: +46

POC: +20

CVE-2025-25291 vulnerability details – vuln.today

Back

CVE-2025-25291

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-25291

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code